I was just following the example of the existing code, which imported the module inside the function. Elsewhere in the same module there's a similar import of random within another function, so I assumed there was some benefit to delaying the import until it's needed, since Django does this in many places.

I personally don't do late imports, but this style seemed to fit the module better. But really, it probably doesn't matter either way.

This really isn't a change with any value; salt doesn't need to be particularly cryptographically strong as long as it's random enough; the point is to exponentially increase the search space for password crackers. The current code is fine.